
Easy KeygenMe !!


kami13x
March 3rd, 2006, 07:46
This keygenme is very hard !!

From now on, I don't see this keygenme.

Most keygenmes, trace with OllyDbg, then it appears in (eax, ebx, ecx, etc.)

This keygenme does not show the serial name in OllyDbg.

The key routine is a calculation and cmp.

No error msg. No packing.

Solving rule: don't change the name (hansir), then find the serial name.

I want the serial name and solving method... plz help me T-T

I'm from Korea. -_-

wtbw
March 3rd, 2006, 08:23
This file does appear to be a keygenme, but it is infected with Parite.B as well...

I suggest you scan your system if this was not deliberate.

As for the keygenme itself, I suggest you make a note of exactly what it does with the serial it reads in line by line (between 4012db and 40137a, see how the serial has been read into memory at that point?). Then work backwards, and try to think how you can "undo" each step. It's not too complicated :-)

Cheers,

Will

ZaiRoN
March 3rd, 2006, 12:08
kami13x,
will you upload a cleaned version of the keygenme? Do you have a link to it?

wtbw
March 3rd, 2006, 18:24
Here you go, I'm pretty sure this is totally clean... I removed the bad section and fixed the imports it moved, and put the EP back. It's small enough to analyse completely if you're unsure.

Cheers,

Will

kami13x
March 4th, 2006, 00:46
- - sorry T-T No, deliberate !!

My system is infected with Parite.B as well.

I didn't know either. My system doesn't have an antivirus program set up -_-

Thank you, wtbw.

Now, scanning my system.. more than 200 files infected with Parite.B

ZaiRoN
March 4th, 2006, 06:26
Ok, I moved the thread in the Mini Project Area. The keygenme is really easy and it might be a nice exercise for those who want to learn how to reverse simple instructions.

The idea behind the keygenme is:
1. perform a calculation over the name's characters obtaining a number, call it numberFromName
2. perform a calculation over the serial obtaining a number, call it numberFromSerial
3. compare numberFromName with numberFromSerial
The only thing to do is to understand how numberFromSerial is obtained and then you have to try to reverse the process, nothing more.

Some questions that might help you in the reverse engineering process of the keygenme:
1. Where is the numberFromName stored?
2. Where is the routine over the serial, I mean which are the initial and the end addresses of the routine performing the calculation over the serial?
3. Can you reverse all the instructions used in the routine?

Good luck

LLXX
March 4th, 2006, 06:49
On a difficulty from 0-9, I'd consider this 2.

Edit: Not much to it. Took ~20 minutes to write the Keygen. Here is the sourcecode:
Code:

mov ah 9 | mov dx .mname | int h21
mov ah 10 | mov dx .name_buf | int h21

mov si .name_buf+1 | lodsb | cmp al 5 | jnb .lxt
ret

; sum
:lxt | sub al 4 | mov cl al | lodsd | push eax | xor eax eax
:snl | lodsb | add ah al | loop .snl

; algorithm
mov al ah | push eax | bswap eax | pop ebx | or eax ebx | pop ebx
xor eax ebx | bswap eax | add eax h3022006 ; February 3rd, 2006
bswap eax | sub eax hDEADC0DE | bswap eax | inc al | inc ah | bswap eax
dec al | dec ah | bswap eax | xor eax hEDB88320 | bswap eax
add eax hD76AA478 | bswap eax | sub eax hB00BFACE | bswap eax
add eax hBADBEEF | bswap eax | inc eax | bswap eax | dec eax | bswap eax
add eax ebx | bswap eax | inc ax | bswap eax | inc ax

; inverse algorithm
sub al hef | xor al hcd | sub ah hab | xor ah h90
bswap eax
sub al h34 | xor al h12 | sub ah h78 | xor ah h56

push eax
mov ah 9 | mov dx .mseri | int h21
pop edx

mov cl 4
:prloop | mov al dl | call bout | shr edx 8
loop .prloop
ret

:bout
/hd4 16 | call $+3 | xchg al ah | cmp al 10 | sbb al h69 | das | int h29
ret

:mname | "Name: $"
:mseri | /13 10 "Ser#: $"

:name_buf
/30
Assembles to 230-byte Keygen

kami13x
March 4th, 2006, 14:21
T-T.... Not obtaining the serial number ....

ZaiRoN's talk I can make out.. but I can't find the serial number

I'm a beginner reverser T-T

If the name is hansir then what is the serial name? I'm eager to know

I will analogize why this serial is the answer.

<first blank: name, second blank: serial>

LLXX
March 4th, 2006, 20:45
Follow the algorithm. It's been extracted from the file and put in the source I posted above. Read through it.

BTW, is this a Korean keygen? All I see for the text are a bunch of ____

kami13x
March 4th, 2006, 23:58
.......... LLXX, is your source MASM? This keygen is a Korean's making.

How to interpret your algorithm.. not to mention, the asm commands I know.

I'm Korean. So, on this score, I see this source for the first time.

By means of Korean, I am interested in reverse engineering.

But I go with adversity, because my English ability is lacking.

How can I come in contact with reverse engineering?

Asking advice for me. Can you make a tutorial? T-T

I need an example.

LLXX
March 5th, 2006, 01:47
If you do not know English very well, then I recommend that you ask on Korean reverse-engineering websites. Here, it is hard for you to understand us, and hard for us to understand you.

If you don't know much English then I recommend you ask on Korean reverse-engineering websites. Here, it is hard for you to understand us, and hard for us to understand you.

ZaiRoN
March 5th, 2006, 05:58
kami13x,
did you try to step a single line of the keygenme? Which kind of tools are you using?

If you are a beginner you can start with something mentioned inside our faq:
Quote:
Is there a "most useful breakpoint"?
Hmmm, there is not any specific best one, but there are some common breakpoints to start with. For example: - if you have to catch when the application reads something from an edit box you can use one of: GetDlgItemTextA, GetWindowTextA
Start your analysis from here, trying to find how and where the serial is read.

blabberer
March 5th, 2006, 14:33
well you have ollydbg; the code is not obfuscated, it's coded in plain
asm
find where it reads your name and serial

hint enter a serial > 8 chars like 12345678
Code:

004011E7 |. E8 F4010000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA

break there and single step through the whole code
with f7
and watch all over the screen

see what changes (the changes will be in red colour if you have the default appearance)

the first part of hash for you name should be
Code:

004030## 65 07 29 70 e)p


these following changes you should observe in the register
Code:

kami13x keygen name hash craeator
the hash is db
the hash is db00
the hash is dbdb
the hash is dbdb0000
the hash is dbdbdbdb
the hash is 736e6168
the hash is a8b5bab3
the hash is b3bab5a8
the hash is b6bcd5ae
the hash is aed5bcb6
the hash is d027fbd8
the hash is d8fb27d0
the hash is d8fb28d1
the hash is d128fbd8
the hash is d128fad7
the hash is d7fa28d1
the hash is 3a42abf1
the hash is f1ab423a
the hash is c915e6b2
the hash is b2e615c9
the hash is 2da1afb
the hash is fb1ada02
the hash is 6c898f1
the hash is f198c806
the hash is f198c807
the hash is 7c898f1
the hash is 7c898f0
the hash is f098c807
the hash is 6407296f
the hash is 6f290764
the hash is 6f290765
the hash is 6507296f
the hash is 65072970
the final hash is 70290765


now if you get through this part you can easily find the serial for your name
hansir

I did a proto code just for reference; it's totally in C.
If you understand that language, it's done on a one-to-one basis
vis-a-vis asm.

Code:

#include <stdio.h>
#define bswap_32(x) \
((((x) & 0xff000000) >> 24) | (((x) & 0x00ff0000) >> 8) | \
(((x) & 0x0000ff00) << 8) | (((x) & 0x000000ff) << 24))

char name[25] = {0};
unsigned int hash;                /* globals start out zeroed */
int i, namelen;
/* unsigned so the wrap-around arithmetic below is well defined */
unsigned int temp1, temp2, temp3, temp4, temp5, temp6, temp7, temp8, \
temp9, temp10, temp11, temp12, temp13, temp14, temp15, temp16, temp17, \
temp18;

int main()
{
    printf("kami13x keygen name hash craeator\n");
    /* read the name, %n gives its length */
    scanf("%24[a-zA-Z0-9]%n", name, &namelen);
    if (namelen < 5)
    {
        printf("you need a bigger name\n");
    }
    else
    {
        /* sum of the characters after the fourth one */
        for (i = 4; i < namelen; i++)
        {
            hash += (unsigned int)name[i];
        }
        printf("the hash is %x\n", hash);
        temp1 = hash << 8;
        printf("the hash is %x\n", temp1);
        temp1 = temp1 | hash;
        printf("the hash is %x\n", temp1);
        temp2 = temp1 << 16;
        printf("the hash is %x\n", temp2);
        temp2 = temp2 | temp1;
        printf("the hash is %x\n", temp2);
        /* first four characters as a little-endian dword */
        for (i = 3; i > 0; i--)
        {
            temp3 = temp3 | name[i];
            temp3 = temp3 << 8;
        }
        temp3 = temp3 | name[0];
        printf("the hash is %x\n", temp3);
        temp4 = temp3 ^ temp2;
        printf("the hash is %x\n", temp4);
        temp5 = bswap_32(temp4);
        printf("the hash is %x\n", temp5);
        temp5 = temp5 + 0x3022006;
        printf("the hash is %x\n", temp5);
        temp6 = bswap_32(temp5);
        printf("the hash is %x\n", temp6);
        temp6 = temp6 - 0xdeadc0de;
        printf("the hash is %x\n", temp6);
        temp7 = bswap_32(temp6);
        printf("the hash is %x\n", temp7);
        temp7 = temp7 + 0x00000101;
        printf("the hash is %x\n", temp7);
        temp8 = bswap_32(temp7);
        printf("the hash is %x\n", temp8);
        temp8 = temp8 - 0x00000101;
        printf("the hash is %x\n", temp8);
        temp9 = bswap_32(temp8);
        printf("the hash is %x\n", temp9);
        temp9 = temp9 ^ 0xedb88320;
        printf("the hash is %x\n", temp9);
        temp10 = bswap_32(temp9);
        printf("the hash is %x\n", temp10);
        temp10 = temp10 + 0xd76aa478;
        printf("the hash is %x\n", temp10);
        temp11 = bswap_32(temp10);
        printf("the hash is %x\n", temp11);
        temp11 = temp11 - 0xb00bface;
        printf("the hash is %x\n", temp11);
        temp12 = bswap_32(temp11);
        printf("the hash is %x\n", temp12);
        temp12 = temp12 + 0x0badbeef;
        printf("the hash is %x\n", temp12);
        temp13 = bswap_32(temp12);
        printf("the hash is %x\n", temp13);
        temp13 = temp13 + 1;
        printf("the hash is %x\n", temp13);
        temp14 = bswap_32(temp13);
        printf("the hash is %x\n", temp14);
        temp14 = temp14 - 1;
        printf("the hash is %x\n", temp14);
        temp15 = bswap_32(temp14);
        printf("the hash is %x\n", temp15);
        temp15 = temp15 + temp3;
        printf("the hash is %x\n", temp15);
        temp16 = bswap_32(temp15);
        printf("the hash is %x\n", temp16);
        temp16 = temp16 + 1;
        printf("the hash is %x\n", temp16);
        temp17 = bswap_32(temp16);
        printf("the hash is %x\n", temp17);
        temp17 = temp17 + 1;
        printf("the hash is %x\n", temp17);
        temp18 = bswap_32(temp17);
        printf("the final hash is %x\n", temp18);
    }
    return 0;
}


now make a complete keygen and tell me you have succeeded so that my
little effort bears fruit

LLXX
March 5th, 2006, 19:25
Is it just me or is the C version even harder to understand than my Asm one? It doesn't look like it'll work as well, since some of the increments and decrements are byte or word sized, leading to possible carry-over errors. Adding 0x101 may look like it'll work, but if AX was already FFFF then [inc al | inc ah] will produce 0000 while [add eax h0101] will produce 0100

This keygenme is more suited to dead analysis, since the code is short and lucid. Don't forget, the more you read Asm code like it was a story, the better you get at it!

kami13x
March 6th, 2006, 07:55
Thank you, all reversers. Very reinforcing !!

Is reverser a job? For all the people on the site, is reversing a hobby?

So, is hash a function? Descrambling?

Does blabberer's code appear in OllyDbg? In a register?

With F8, tracing and watching registers, nonetheless, nothing watched T-T

I know API functions, I have breakpoint skills.

But why don't I see the serial name in OllyDbg?

Because I watched the serial name in a register in OllyDbg, I have solved

keygenmes and crackmes.

But this keygenme is almost watched in OllyDbg. And if the name is kami13x then

is the serial name 70290765? I don't have knowledge of the hash function?

How to find the genuine serial? Do I ask too many questions?

I use OllyDbg and more tools, e.g. I used the PointH plugin for serial fishing

I use them like you reversers use tools.

I try unpacking and cracking. Not an absolute beginner!!

Merely, I met with this keygenme's routine.

e.g.) I watch the serial, tracing API functions (with a breakpoint on VbaStrCmp); that's how I solved keygenmes and crackmes

developed in Visual Basic. Or I solve with a breakpoint on the API function of the error msgbox, for C, C++

or I find the branch statements (JE, JNZ), and edit by forcing the jump (JMP)

Is this keygenme special? Why can't I solve this keygenme?

Finally, what do you think of my English sentences?

1. beginner 2. intermediate 3. expert 4. master

And why do you think so? (e.g. low vocabulary, low sentence structure)

That advice will help me in English studying.

Repeatedly, although I don't have more knowledge, I appreciate this site's users participating in my problem.

blabberer
March 6th, 2006, 11:03
@LLXX that conversion was exactly meant for one name, nothing more,
and to show we can see what we see in ollydbg out of it

yeah there may be overflow bugs in the first loop itself

Code:

│ ....... ! loc_80483dd: ;xref j80483d9 │
│ ....... ! mov eax, [i] │
│ 80483e2 ! add eax, name │
│ 80483e7 ! movsx eax, byte ptr [eax] │
│ 80483ea ! add [hash], eax │
│ 80483f0 ! inc dword ptr [i] │
│ 80483f6 ! jmp loc_80483ce │


what happens if we have hansirr: the al will overflow

Code:

the hash is 14d
the hash is 14d00
the hash is 14d4d
the hash is 4d4d0000
the hash is 4d4d4d4d


it was just a prototype, nothing more, and I wasn't keygenning it,
just showing a way to think

LLXX
March 6th, 2006, 22:39
Quote:
[Originally Posted by kami13x]Thank you, all reversers. Very reinforcing !!

Is reverser a job? For all the people on the site, is reversing a hobby?
The person who does the reversing is the reverser.

Quote:
[Originally Posted by kami13x]But why don't I see the serial name in OllyDbg?
Because this keygenme works differently. It computes a dord out of the name entered and then converts the serial entered into another dord, which is also calculated on before comparison. It doesn't just go one way:

Code:

Name -------> Dord <------- Ser#
calc1 calc2
If you want to keygen, calc1 will run in the normal direction but you will have to reverse calc2.

Quote:
Finally, what do you think of my English sentences?

1. beginner 2. intermediate 3. expert 4. master

And why do you think so? (e.g. low vocabulary, low sentence structure)

That advice will help me in English studying.
1. I can understand you, but you need to improve.
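The following is an added example and not code from the thread: a C model of what LLXX's source, blabberer's prototype and trace, LLXX's byte-width caveat, and the Name -> Dord <- Ser# picture describe. Unlike the prototype it keeps the register widths of the asm (the character sum lives in AH, so it wraps modulo 256; inc/dec are applied to AL, AH or AX only), so it reproduces blabberer's trace for hansir and stays correct for longer names. The serial side is taken from LLXX's "inverse algorithm" and print loop only; the forward calc2 here is assumed to be the mathematical inverse of those posted steps and has not been checked against the keygenme binary. All function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same effect as the bswap instruction used throughout LLXX's source. */
static uint32_t bswap32(uint32_t x)
{
    return (x >> 24) | ((x >> 8) & 0x0000ff00u) | ((x << 8) & 0x00ff0000u) | (x << 24);
}

/* Model AL/AH/AX: write one part of EAX without touching the rest. */
#define AL(eax) ((uint8_t)((eax) & 0xffu))
#define AH(eax) ((uint8_t)(((eax) >> 8) & 0xffu))
static uint32_t set_al(uint32_t eax, uint8_t v) { return (eax & 0xffffff00u) | v; }
static uint32_t set_ah(uint32_t eax, uint8_t v) { return (eax & 0xffff00ffu) | ((uint32_t)v << 8); }
static uint32_t inc_ax(uint32_t eax) { return (eax & 0xffff0000u) | ((eax + 1u) & 0xffffu); }

/* calc1, the name hash, step for step as in LLXX's listing. The first four
 * characters are loaded as a little-endian dword (lodsd); the rest are summed
 * into AH, i.e. modulo 256. Returns 0 for names shorter than 5 characters,
 * where the keygen just executes ret. */
int name_hash(const char *name, uint32_t *out)
{
    size_t len = strlen(name);
    if (len < 5) return 0;
    uint32_t first = (uint32_t)(uint8_t)name[0] | ((uint32_t)(uint8_t)name[1] << 8)
                   | ((uint32_t)(uint8_t)name[2] << 16) | ((uint32_t)(uint8_t)name[3] << 24);
    uint8_t sum = 0;
    for (size_t i = 4; i < len; i++) sum = (uint8_t)(sum + (uint8_t)name[i]);
    uint32_t eax = ((uint32_t)sum << 24) | ((uint32_t)sum << 16) | ((uint32_t)sum << 8) | sum;
    eax ^= first;                                                       /* xor eax ebx */
    eax = bswap32(eax); eax += 0x03022006u;
    eax = bswap32(eax); eax -= 0xDEADC0DEu;
    eax = bswap32(eax); eax = set_al(eax, AL(eax) + 1); eax = set_ah(eax, AH(eax) + 1); /* inc al | inc ah */
    eax = bswap32(eax); eax = set_al(eax, AL(eax) - 1); eax = set_ah(eax, AH(eax) - 1); /* dec al | dec ah */
    eax = bswap32(eax); eax ^= 0xEDB88320u;
    eax = bswap32(eax); eax += 0xD76AA478u;
    eax = bswap32(eax); eax -= 0xB00BFACEu;
    eax = bswap32(eax); eax += 0x0BADBEEFu;
    eax = bswap32(eax); eax += 1u;
    eax = bswap32(eax); eax -= 1u;
    eax = bswap32(eax); eax += first;                                   /* add eax ebx */
    eax = bswap32(eax); eax = inc_ax(eax);
    eax = bswap32(eax); eax = inc_ax(eax);
    *out = bswap32(eax);
    return 1;
}

/* LLXX's "inverse algorithm": the name dword run backwards through calc2. */
uint32_t serial_from_hash(uint32_t eax)
{
    eax = set_al(eax, AL(eax) - 0xef); eax = set_al(eax, AL(eax) ^ 0xcd);
    eax = set_ah(eax, AH(eax) - 0xab); eax = set_ah(eax, AH(eax) ^ 0x90);
    eax = bswap32(eax);
    eax = set_al(eax, AL(eax) - 0x34); eax = set_al(eax, AL(eax) ^ 0x12);
    eax = set_ah(eax, AH(eax) - 0x78); eax = set_ah(eax, AH(eax) ^ 0x56);
    return eax;
}

/* Assumed calc2: the posted inverse undone step by step in reverse order.
 * Derived from LLXX's inverse, not read out of the keygenme itself. */
uint32_t hash_from_serial(uint32_t eax)
{
    eax = set_ah(eax, AH(eax) ^ 0x56); eax = set_ah(eax, AH(eax) + 0x78);
    eax = set_al(eax, AL(eax) ^ 0x12); eax = set_al(eax, AL(eax) + 0x34);
    eax = bswap32(eax);
    eax = set_ah(eax, AH(eax) ^ 0x90); eax = set_ah(eax, AH(eax) + 0xab);
    eax = set_al(eax, AL(eax) ^ 0xcd); eax = set_al(eax, AL(eax) + 0xef);
    return eax;
}

/* The keygen's print loop: the four bytes of EDX, low byte first, as hex digits. */
void serial_string(uint32_t edx, char out[9])
{
    for (int i = 0; i < 4; i++)
        snprintf(out + 2 * i, 3, "%02X", (unsigned)(edx >> (8 * i)) & 0xffu);
}

/* LLXX's caveat: inc al | inc ah is not add eax 0x101 once AL or AH wraps. */
uint32_t inc_al_inc_ah(uint32_t eax) { eax = set_al(eax, AL(eax) + 1); return set_ah(eax, AH(eax) + 1); }
uint32_t add_0x101(uint32_t eax) { return eax + 0x101u; }

int main(void)
{
    uint32_t h;
    char serial[9];
    if (!name_hash("hansir", &h)) return 1;
    printf("name dword : %08x\n", h);               /* 70290765, blabberer's final hash */
    serial_string(serial_from_hash(h), serial);
    printf("serial     : %s\n", serial);
    printf("round trip : %s\n", hash_from_serial(serial_from_hash(h)) == h ? "ok" : "MISMATCH");
    printf("ax=ffff: inc al|inc ah -> %04x, add eax 0x101 -> %04x\n",
           inc_al_inc_ah(0xffffu) & 0xffffu, add_0x101(0xffffu) & 0xffffu);
    return 0;
}
```

The round-trip check is the part worth keeping when working a keygenme like this: once calc2 has been read out of the binary, feeding the inverse's output back through the forward routine must give the name dword again, otherwise one of the "undo" steps is in the wrong order or the wrong width.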

Maximus
March 7th, 2006, 20:54
Quote:
[Originally Posted by kami13x]
And why do you think so? (e.g. low vocabulary, low sentence structure)
That advice will help me in English studying.


If I may give a few suggestions:
1) read a lot: the more you read, the better your English will become. One day you will write your comments in English, because you think in English.
2) if you are learning English by yourself, I strongly suggest you learn the grammar very, very well. It is the backbone on which you build anything. If you know many words but have bad syntax, your English will be bad. If you know few words but can use them well, your English is -So, focus on grammar to quickly improve your English.

Try to find some old grammar -the older the better. They are more focused on grammar.

Keep on reversing, and your english will slowly become like your Korean